Data mining algorithms adopted for trusted execution environment
Abstract
Distributed systems for protecting networked computer assets from compromise are disclosed. The distributed system includes one or more enterprise event sources, such as endpoint(s). The system also includes a server, such as a Big Data Analytics server, and optionally a security management server such as a Security Information and Event Management server. The Big Data Analytics server processes data collected from the enterprise event sources and produces behavioral profile models for each endpoint (or group of similar endpoints). The profiles, models, and ontology analysis are provided to the endpoints. Endpoint analytics use the output from the analytics servers to detect deviations from the endpoint's behavioral profile.
Claims
exact text as granted — not AI-modifiedWe claim:
1. A storage disk or storage device comprising instructions that, when executed, cause one or more servers to:
create executable instructions associated with endpoint rules and an endpoint ontology model, the endpoint rules to extract events from process behaviors of a plurality of endpoints, the executable instructions to cause a first endpoint to:
generate a first event sequence by arranging first events extracted from first process behaviors performed by the first endpoint into the first event sequence, the first events extracted based on the endpoint rules, at least one of the first events corresponding to a call to an operating system;
generate a third event sequence to determine a correlation fit by attempting to correlate the first event sequence to stored second event sequences of the endpoint ontology model by applying a hidden Markov model to the first event sequence and the second event sequences of the endpoint ontology model, the second event sequences corresponding to known attack patterns, the third event sequence including second events, one or more of the second events being different from one or more of the first events; and
generate a first security alert when the correlation fit satisfies a threshold;
update the endpoint ontology model based on security event data associated with security alerts associated with respective ones of the plurality of endpoints, the security alerts including the first security alert; and
transmit the updated endpoint ontology model to the plurality of endpoints to identify a future attack at one or more of the plurality of endpoints.
2. The storage disk or storage device of claim 1 , wherein the instructions, when executed, cause the one or more servers to transmit the updated endpoint ontology model to trusted execution environments within respective ones of the plurality of endpoints.
3. The storage disk or storage device of claim 1 , wherein the executable instructions are associated with an endpoint behavioral profile including at least one of one or more setup parameters, one or more configurations, or one or more expected behaviors associated with the first endpoint.
4. The storage disk or storage device of claim 1 , wherein the security event data corresponds to a dynamically obtained event or a statically-extracted feature.
5. The storage disk or storage device of claim 4 , wherein the dynamically obtained event is the call to the operating system.
6. The storage disk or storage device of claim 4 , wherein the statically-extracted feature is an indication that the call to the operating system was found in a decompiled application.
7. The storage disk or storage device of claim 1 , wherein the endpoint ontology model includes at least one of an identity, a relationship graph, or an activity.
8. The storage disk or storage device of claim 1 , wherein the endpoint ontology model includes an ontology of a compromised endpoint.
9. The storage disk or storage device of claim 8 , wherein the security event data indicates a correlation of a behavior of the first endpoint with the ontology of the compromised endpoint.
10. A storage disk or storage device comprising instructions that, when executed, cause an endpoint to at least:
extract first events from process behaviors performed by the endpoint using endpoint rules from one or more servers, at least one of the first events corresponding to a call to an operating system of the endpoint;
generate a first event sequence by arranging two or more of the first events into the first event sequence;
generate a third event sequence to determine a correlation fit by attempting to correlate the first event sequence to stored second event sequences of an endpoint ontology model from the one or more servers by applying a hidden Markov model to the first event sequence and the second event sequences of the endpoint ontology model, the second event sequences corresponding to known attack patterns, the third event sequence including second events, one or more of the second events being different from one or more of the first events;
generate a security alert when the correlation fit satisfies a threshold; and
transmit security event data associated with the security alert to the one or more servers to facilitate an update of the endpoint ontology model to identify a future attack.
11. The storage disk or storage device of claim 10 , wherein the endpoint rules and the endpoint ontology model are stored in a trusted execution environment of the endpoint.
12. The storage disk or storage device of claim 10 , wherein the instructions, when executed, cause the endpoint to compare the process behaviors to an endpoint behavioral profile, the endpoint behavioral profile to include at least one of: one or more setup parameters, one or more configurations, or one or more expected behaviors.
13. The storage disk or storage device of claim 10 , wherein the endpoint ontology model includes an ontology of a compromised endpoint.
14. The storage disk or storage device of claim 13 , wherein the instructions cause the endpoint to determine the correlation fit by attempting to correlate the process behaviors of the endpoint with the ontology of the compromised endpoint.
15. An endpoint for detecting threats in a computer network, the endpoint comprising:
one or more processors; and
memory including instructions that, when executed, cause the one or more processors to:
extract first events from process behaviors performed by the endpoint using endpoint rules from one or more servers, at least one of the first events corresponding to a call to an operating system of the endpoint;
generate a first event sequence by arranging two or more of the first events into the first event sequence;
generate a third event sequence to determine a correlation fit by attempting to correlate the first event sequence to stored second event sequences of an endpoint ontology model from the one or more servers by applying a hidden Markov model to the first event sequence and the second event sequences of the endpoint ontology model, the second event sequences corresponding to known attack patterns, the third event sequence including second events, one or more of the second events being different from one or more of the first events;
generate a security alert when the correlation fit satisfies a threshold; and
transmit security event data associated with the security alert to the one or more servers to facilitate an update of the endpoint ontology model to detect suspicious behavior patterns at one or more of a plurality of endpoints including the endpoint.
16. The endpoint of claim 15 , wherein the instructions, when executed, cause the endpoint to compare the process behaviors to an endpoint behavioral profile, the endpoint behavioral profile to include at least one of: one or more setup parameters, one or more configurations, or one or more expected behaviors.
17. The endpoint of claim 15 , wherein the endpoint rules and the endpoint ontology model are accessible within a trusted execution environment.
18. The endpoint of claim 15 , wherein the endpoint ontology model is of a compromised endpoint.
19. A method of detecting threats in a computer network, the method comprising:
extracting first events from process behaviors performed by an endpoint using endpoint rules from one or more servers, at least one of the first events corresponding to a call to an operating system of the endpoint;
generating a first event sequence by arranging ones of the first events into the first event sequence;
generating a third event sequence to determine a correlation fit by attempting to correlate the first event sequence to stored second event sequences of an endpoint ontology model from the one or more servers by applying a hidden Markov model to the first event sequence and the second event sequences of the endpoint ontology model, the second event sequences corresponding to known attack patterns, the third event sequence including second events, one or more of the second events being different from one or more of the first events; and
when the correlation fit satisfies a threshold, transmitting security event data to the one or more servers to facilitate an update of the endpoint ontology model to identify a future attack at one or more of a plurality of endpoints including the endpoint.
20. The method of claim 19 , wherein the endpoint ontology model is of a compromised endpoint.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.